Re: [atomic-devel] kubernetes pod can't access secret volume due to avc
- From: Eric Paris <eparis redhat com>
- To: Tobias Florek <atomic ibotty net>, atomic-devel projectatomic io
- Subject: Re: [atomic-devel] kubernetes pod can't access secret volume due to avc
- Date: Fri, 17 Jul 2015 08:29:30 -0500
Sadly, no, the only step you missed was disabling SELinux.
https://github.com/GoogleCloudPlatform/kubernetes/issues/2630
is where Paul is tracking his work around these problems.
On Fri, 2015-07-17 at 09:50 +0200, Tobias Florek wrote:
> Hi,
>
> using the following atomic host version I can't access secret volumes
> from within pods due to an AVC and SELinux denying it. Is there some
> setup step that I am missing?
>
> os-version:
> atomic host status:
> 2015-07-15 23:33:20 22.61 db540a53ba fedora-atomic
> i.e.
> kubernetes-0.20.0-0.3.git835eded.fc22.x86_64
> docker-1.7.0-6.git74e7a7a.fc22.x86_64
> selinux-policy-3.13.1-128.4.fc22.noarch
>
>
> The AVC (a little redacted) looks like this
>
> type=AVC msg=audit(1437118925.236:8577): avc: denied { read } for
> pid=16637 comm="fedora" name="key" dev="tmpfs" ino=680330
> scontext=system_u:system_r:svirt_lxc_net_t:s0:c133,c544
> tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
>
>
> audit2allow recommends (not to)
>
> #============= svirt_lxc_net_t ==============
>
> #!!!! WARNING: 'var_lib_t' is a base type.
> allow svirt_lxc_net_t var_lib_t:file read;
>
>
> see the following example to replicate the behavior.
>
> sample replication controller:
>
> apiVersion: v1
> kind: ReplicationController
> metadata:
>   labels:
>     name: test
>   name: test
> spec:
>   replicas: 1
>   selector:
>     name: test
>   template:
>     metadata:
>       labels:
>         name: test
>     spec:
>       containers:
>       - args:
>         - /bin/bash
>         - "-c"
>         - "whoami; ls -hlR /config; getfacl /config; getfacl
>           /config/key; cat /config/key"
>         image: fedora
>         name: test
>         volumeMounts:
>         - mountPath: /config
>           name: config
>           readOnly: true
>       volumes:
>       - name: config
>         secret:
>           secretName: test
>
>
> and the following secret
>
> apiVersion: v1
> kind: Secret
> metadata:
>   name: test
> type: Opaque
> data:
>   key: dmFsdWUtMg0K
>
>
> Cheers,
> Tobias Florek
>
> PS: unfortunately I will be gone for 10 days and will not be able to
> answer before.
>
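The AVC record quoted above, parsed and assessed from the defender's side: what was denied, the rule audit2allow would emit, and why that rule is too broad. This is an added example, not code from the thread or from Kubernetes; the BASE_TYPES set is an assumption extended from audit2allow's own "base type" warning, the page only names var_lib_t.

```python
import re

# Constructed sample: the (lightly redacted) AVC record quoted in the thread.
SAMPLE_AVC = (
    'type=AVC msg=audit(1437118925.236:8577): avc: denied { read } for '
    'pid=16637 comm="fedora" name="key" dev="tmpfs" ino=680330 '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c133,c544 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0'
)

# Target types for which a blanket allow rule grants far more than the one
# file that was denied. audit2allow calls these "base types"; this set is an
# assumption, the thread itself only names var_lib_t.
BASE_TYPES = {"var_lib_t", "var_t", "etc_t", "usr_t", "tmp_t", "file_t"}

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the AVC record as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    rec = {"result": m.group(1), "perms": m.group(2).split(),
           "tclass": fields.get("tclass"), "permissive": fields.get("permissive") == "1",
           "comm": fields.get("comm"), "name": fields.get("name"), "dev": fields.get("dev")}
    for side in ("scontext", "tcontext"):
        user, role, typ, *level = fields[side].split(":")  # user:role:type:level[:cats]
        rec[side] = {"user": user, "role": role, "type": typ, "level": ":".join(level)}
    return rec


def allow_rule(rec):
    """The rule audit2allow would emit for this record (the one the thread warns against)."""
    perms = rec["perms"][0] if len(rec["perms"]) == 1 else "{ %s }" % " ".join(rec["perms"])
    return "allow %s %s:%s %s;" % (rec["scontext"]["type"], rec["tcontext"]["type"],
                                   rec["tclass"], perms)


def assess(rec):
    """Summarise the denial and flag whether the suggested rule targets a base type."""
    src, tgt = rec["scontext"]["type"], rec["tcontext"]["type"]
    summary = "%s (domain %s, level %s) denied %s on %s file %r on %s" % (
        rec["comm"], src, rec["scontext"]["level"], "/".join(rec["perms"]),
        tgt, rec["name"], rec["dev"])
    # A broad target means the rule would let every container in this domain
    # read every var_lib_t file on the host, not just the secret volume.
    return {"summary": summary, "rule": allow_rule(rec),
            "broad_target": tgt in BASE_TYPES, "enforcing": not rec["permissive"]}
```

Running assess(parse_avc(SAMPLE_AVC)) reproduces the exact allow rule from the thread and marks it broad_target, which is the signal to look for a labelling fix rather than a policy exception.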